IoT: legal issues in relation to privacy and security
Privacy Open Forum
Thursday, 8th of December 2016
Brussels, 8 December 2016
IOT: PRIVACY AND SECURITY ISSUES FROM A LEGAL PERSPECTIVE
JOHAN VANDENDRIESSCHE
Agenda
1. 18:30 Introduction
2. 18:45 IoT
3. 19:30 Break
4. 19:50 IoT
5. 20:45 Close
GENERAL OVERVIEW
Internet of Things (IoT)
• ITU IoT definition: “global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing interoperable information and communication technologies”
• Inconsistent approach in various definitions
  • Infrastructure
  • Devices
Internet of Things (IoT)
• Examples
  • Smart cities
  • Wearables
  • Automobiles
  • Smart devices
  • Transport systems
  • Manufacturing
  • Smart metering
  • eHealth
Overview of IoT legal issues
• Data protection and privacy
• Communications law
• Cybersecurity
• Cybercrime
• Intellectual property law
• Consumer and product liability law
• …
DATA PROTECTION ISSUES
Data Protection?
• Limitations in relation to the processing of personal data
• Very broad legal interpretation of the concept of personal data
  • Not necessarily sensitive information (although stricter rules apply to special categories of personal data)
• Processing: “any operation or set of operations which is performed upon personal data […]”
IoT Privacy Issues
• M2M communication: processing of personal data?
  • Is a natural person identifiable on the basis of information originating from devices?
  • Analogy with recent case law from the ECJ (IP addresses)
Data protection principles
• The data processing must comply with specific principles
  • Proportionality
  • Purpose limitation
  • Limited in time
  • (Individual and collective) Transparency
  • Data quality
  • Data security
IoT and the GDPR
• Stricter consent requirement
  • Implicit vs explicit consent
  • Mere silence is no longer sufficient
  • Separate consent per purpose
  • If written consent
    • Clear
    • Separate from other consents
• General right to withdraw consent
  • No motivation
  • As easy as giving consent
IoT and the GDPR
• Privacy by design
  • Data controller
  • Appropriate technical and organisational measures
    • State of the art and cost of implementation
    • Nature, scope, purposes and risk
  • Integrate necessary safeguards to ensure compliance
  • Further guidance is expected
IoT and the GDPR
• Privacy by default
  • Technical and organisational measures
  • Ensure only necessary data are processed
    • Amount
    • Extent of processing
    • Storage period
    • Accessibility
  • IoT consumer products issues
IoT and the GDPR
• Data Portability
  • Processing based on consent or contractual necessity
  • Right to receive a copy of his personal data
    • Structured, commonly used and machine-readable format
  • Right to transmit personal data to another controller without hindrance
    • If technically possible: direct transmission between controllers
IOT AND BIG DATA
What is Big Data?
• Exponential growth of data
  • Availability
  • Processing tools (‘automated use’)
• Evolution
  • (Manual) Small scale profiling
  • Data mining
  • Big Data
• Numerous applications
  • Detect general correlations and trends
  • Create specific, individual profiles
Data protection issues?
• Purpose Limitation
  • Data collected for a specified, specific and legitimate purpose
  • Re-use for a different purpose?
    • Compatible or not?
    • Criteria
      • Nature of the purposes and their connections
      • Circumstances surrounding data collection
      • Privacy expectations of the data subjects
      • Personal data involved and impact on the data subject
      • Safeguards for fair processing
  • Specific framework for statistical processing
Proportionality
• Processing must be limited to the personal data that is strictly necessary for the purpose
  • Do I need this personal data?
  • Big database containing a lot of information?
  • Combination of databases?
Other issues
• Notice obligation
  • Specific information to be provided to data subjects
  • What is required in case of big data?
• Data quality
  • Impact of profiling may be substantial: impact on data quality requirements?
• Data Security
  • Big data = big impact of data breaches?
Big data and GDPR
• Some issues
  • Restrictions in terms of automated decision making
  • DPIA
  • DPO
  • Data breach notification
Data Protection Impact Assessment
• Impact assessment in relation to protection of personal data
  • High risk
    • Systemic and extensive profiling
    • Processing on a large scale of special categories of data
    • Systematic monitoring of publicly accessible areas on a large scale
    • …
  • Guidance from supervisory authority
Data Protection Impact Assessment
• DPIA contents
  • Description of processing
  • Assessment of necessity and proportionality of processing
  • Assessment of risks
  • Measures to address risk
• If appropriate: involve data subjects or their representatives
DPO
• Mandatory DPO?
  • Public authority or body
  • Core activity requiring regular and systematic monitoring of data subjects
  • Core activities consisting of processing on a large scale of special categories of personal data
  • Required by member state law
• Groups may designate a single DPO
IOT AND END USER EQUIPMENT ACCESS
Access to end user equipment
• Hacking: “the unauthorized intrusion in or maintenance of access to an IT system” (article 550bis Criminal Code)
  • Internal hacking
    • Person with access rights who exceeds such rights
    • With a fraudulent purpose or with the purpose to cause damage
  • External hacking
    • Person without access rights
    • Knowingly
  • There is no requirement of breach of security measures
“Cookie” legislation
• End user device
  • Storage of information
  • Access to stored information
• Informed consent requirement
  • Exceptions
    • Communication service
    • Necessary for the provision of a service at the request of an end user
• Right to withdraw consent
SECURITY ISSUES
IoT security obligations
• Overview
  • General principles of cybersecurity
  • Critical Infrastructures legislation
    • General
    • NIS
  • Communications network security
Legal Approach to Cyber Security
• Information Security: CIA
  • Availability and integrity of information systems and information
  • Exclusivity, confidentiality and protection of information systems and information
• Information security is a typical example of lagging legislation
  • High technical / organizational maturity
  • Low legal maturity
Cybersecurity legislation
• No consolidated set of laws and regulations
  • Cybercrime
  • Data Protection
  • Secrecy of (electronic) communication
  • Intellectual Property Rights (copyright, patents, software …)
  • Critical Infrastructures
    • General regulations and sector-based regulations
Cybersecurity legislation
• Generic cyber security and/or information security law?
  • General due diligence and care obligation
  • (Indirect) Compliance obligation
  • (Indirect) Obligation to ensure information security?
• Large contractual scope: NDAs, SLAs, IP contracts, IT policies, self-regulation, …
  • Contracts and policies often impose security rules in relation to IT
Critical infrastructures
• EC Directive 2008/114/EC
  • Critical infrastructure and European critical infrastructure
    • Asset, system or part thereof
    • Essential
      • Societal functions, health, safety, security, economic or social well-being
    • Significant impact in case of disruption or destruction
Critical infrastructures
• Sector limitation at the EU level
  • Energy
  • Transportation
• Broader scope in Belgium
  • Financial sector (NBB)
  • Telecommunications (BIPT)
• IoT may be covered depending on sector of application
Critical infrastructures
• Obligation to implement an operator security plan (OSP)
  • Identification of critical infrastructure assets
  • Existing and planned security solutions
  • Methodology
    • Identification of important assets
    • Conduct of a risk analysis
    • Identification, selection and prioritization of counter-measures and procedures
      • Permanent measures
      • Graduated measures
Critical infrastructures
• EC Directive 2016/1148/EU – Network and Information Security
  • Obligations for member states: adoption of a national strategy for NIS & identification of operators of essential services
  • Obligations for operators of essential services and for digital service providers
  • Implementation deadline: 9 May 2018
Critical infrastructures
• Key concepts
  • Network and information system (NIS)
  • Operator of an essential service
    • Service that is essential for the maintenance of critical societal and/or economic activities
    • Provision of the services depends on NIS
    • Incident would have significant disruptive effects
  • Digital service provider
Critical infrastructures
• Security obligations of operators of essential services in relation to network and information systems
  • Risk management
    • Appropriate and proportionate technical and organizational measures to manage risk
    • Appropriate level of security in view of the risks, taking into account the state of the art
  • Incident management
    • Appropriate measures to prevent and minimize the impact of incidents affecting NIS used for essential services and to ensure continuity
  • Breach notification obligation in case of significant impact
    • Provided information is confidential
    • Public may be informed by the competent authority or CSIRT
Critical infrastructures
• Security obligations of digital service providers in relation to network and information systems
  • Risk management
    • Focus on security, incident handling, business continuity management, monitoring, auditing and testing, and compliance with international standards
  • Incident management
Communications law
• Obligations
  • Information obligations in relation to security
  • Security obligations
  • Notification obligation
• Who?
  • Operators of public communication networks
  • Providers of public electronic communications services
• BIPT may issue binding instructions
Communications law
• General security obligation
  • Appropriate technical and organisational security measures
    • Commensurate to the risks (taking into account the current state of technology)
    • Protect the service and/or the network
    • Mitigate impact on end users and interconnected networks
  • Anti-spam service
Communications law
• Personal data involved?
  • Access restriction (‘need to know’)
  • Stored data must be protected against unlawful processing
  • Security policy must be implemented
• Double use with data protection legislation?
Communications law
• Network operators
  • Ensure integrity of their network to ensure continuity of services using these networks
  • Ensure to the greatest extent possible the availability of public telephony services over their network in case of network disruption or force majeure
Contact details
Johan Vandendriessche
Partner – Crosslaw
Visiting Professor ICT Law – UGent
Visiting Professor ICT & Data Protection Law – HoWest
Mobile Phone +32 486 36 62 34
E-mail [email protected]
Website www.crosslaw.be
ISACA BELGIUM